Password protect Grub menu


For some years now Grub has been the GNU/Linux bootloader, and it has managed to surpass in performance and configuration options the revered LILO, the first one that users of the great free operating system met. But of course, more options also means that anyone with physical access to the computer has them too, so it is not a bad idea to think about improving security, and that is what we are going to show in this post.

The idea is to be able to add a password to the Grub menu, so that no one except those who know it can access certain parts of the bootloader, such as booting into recovery mode and other menu options, leaving only the option of starting the computer in normal mode available (so that other users can boot and use it, but without 'touching' anything in Grub).

Let's first see how to put a password on the Grub menu, which will completely remove the possibility of editing the parameters that are passed to it and thereby modifying its behaviour. For this we must open a terminal window (Ctrl + Alt + T) and run:

 

grub-md5-crypt

We press Enter and we will be asked for a password. We choose one and confirm it, and after that the command gives us a string like '$1$f/Nfq$1YrrUM0adYBh/xHCj2UEB1'. What we have to do next is open the file /boot/grub/menu.lst for editing:

sudo nano /boot/grub/menu.lst

We add, just before the list of boot entries, the command 'password' followed by the option --md5 and the string that the previous command gave us. So we have something like this:

password --md5 $1$f/Nfq$1YrrUM0adYBh/xHCj2UEB1

We save the file and it will no longer be possible to edit the Grub parameters unless we press the letter «P» and then enter the password that we chose in the previous steps.

If instead of blocking the editing of parameters we want to do it for a specific entry in the Grub menu, what we do is copy the mentioned line and then paste it between the 'title' and 'root' lines of that entry.
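
One way to check the result of the steps above, as an added example that is not part of the original post: a shell function that reads a Grub Legacy menu.lst and reports whether a hashed 'password --md5' line sits before the first 'title', which entries still boot without a password, and any password stored in plain text. The function names and the sample menu.lst contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Audit a Grub Legacy menu.lst given as a file argument or on stdin.
# Exit status is 0 only when a hashed global password precedes the entries.
audit_menu_lst() {
    awk '
        /^[ \t]*#/ { next }                      # commented-out lines do nothing
        $1 == "title" {                          # a new boot entry starts here
            if (in_entry && !entry_pw) print "OPEN entry: " name
            in_entry = 1; entry_pw = 0
            name = $0; sub(/^[ \t]*title[ \t]+/, "", name)
            next
        }
        $1 == "password" {
            if ($2 != "--md5") print "PLAINTEXT password at line " NR
            if (in_entry) entry_pw = 1           # between title and root
            else if ($2 == "--md5") global_pw = 1
        }
        END {
            if (in_entry && !entry_pw) print "OPEN entry: " name
            if (global_pw) print "OK global password set before boot entries"
            else print "MISSING global password before boot entries"
            exit (global_pw ? 0 : 1)
        }
    ' "$@"
}

# Constructed sample: global password plus a protected recovery entry.
sample_menu_lst() {
    cat <<'EOF'
default 0
timeout 5
# password topsecret
password --md5 $1$f/Nfq$1YrrUM0adYBh/xHCj2UEB1

title Linux (normal mode)
root (hd0,0)
kernel /vmlinuz root=/dev/sda1 ro

title Linux (recovery mode)
password --md5 $1$f/Nfq$1YrrUM0adYBh/xHCj2UEB1
root (hd0,0)
kernel /vmlinuz root=/dev/sda1 ro single
EOF
}

sample_menu_lst | audit_menu_lst
```

Entries reported as OPEN are the ones anyone can boot without the password; with the configuration described above, only the normal-mode entry should be listed.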



  1.   YES AC said

    Great, this comes from "pearls." Thanks, I always read them, but I don't comment. With exceptions.

  2.   mircocaloghero said

    It seems that it was yesterday when 28 presses of the backspace key allowed this protection to be skipped ...

  3.   romell said

    Good morning Community, I am a bit new to this GNU / Linux issue, yesterday I installed Elementary OS from a USB on my machine, everything worked normally, when I restarted the machine I got this message and it did not let me start the system, I was rambling on the web, but I did not find anything concrete on how to fix it or start the system, if someone could help me with this issue I would appreciate it, greetings, Pura vida!